Good afternoon everyone. My name is Maurice. I'm going to be your host, which means that I just get to go over a few of the ground rules and then let you get here for what you really wanted to hear about, which is international policy 101. Like I said, we're gonna start this off by letting you know that this is going to be on the record, so that is gonna be streamed out, and, you know, make sure that if you don't want to be on camera you take note of the camera behind you. As we're gonna be hearing from our panelists today, they're gonna go through, introduce themselves, and then we'll have some Q&A at the end. Also at the end of the session there is gonna be a feedback slide, so you can go ahead and scan the QR code, let us know what you thought about it. During the session please keep in mind, if you have anything that beeps, makes any fun noises, put that on silence so that way we don't all hear it. And then lastly, as a reminder, if you are standing up please try to find a seat; if not, keep the hallways clear as best we can. And with that let's go ahead and start. Thank you.

Thank you very much Maurice, and thank you all for coming, and welcome to DEF CON. It's fantastic to be here, great opportunity to share, and we've got a wonderful panel to talk through international cyber security policy work. Just a few things from our side: we have allocated about one hour 20 minutes for the kind of component of it, the on-the-record component, and the intention will be that that will enable people to come and ask questions afterwards and have kind of one-on-one conversation if that's helpful. Of course, happy to be flexible to make the most of time, but also that's the intention. So what we're gonna do is just start with a few personal introductions. You know, really excited to be here, and so my name is Peter Stevens and I'm at the OECD, which is that, thank you, that wasn't expected but greatly appreciated.
So it's an international organization based in Paris which supports 30 member state countries on a range of policy issues, and as you can maybe tell from the accent, previously I was based in the United Kingdom, where I worked in the Department of Digital, Culture, Media and Sport, and I led the secure by design policy initiative, so the work on IoT security was my area. So it's great to be here, and what I'll do is pass down and then we can, we'll have a start-up conversation.

Hi all, my name is Adam Debell. I work for the Australian Government at the Embassy in DC, and my job is to engage with the US government and industry on cybersecurity policy.

Hi there, Peter Brown. I work for the European Parliament. I'm a career civil servant there since 1990, although I did take 10 years sabbatical working in the private sector. I lead on tech policy for the, what I call the eat your own dog food service, which is where we examine within the Parliament how policy that we're adopting politically actually will have an impact within the IT services in the Parliament, so it's sort of stuck between policy and operations.

Hi everyone, it's great to be here. My name is Bryony Crown and I lead on all things cyber policy in the Embassy in DC for the British government, but similar to Adam, also these are all things I've got to see with the US and industry.

I'm Ari Schwartz. I'm managing director of cybersecurity services at Venable, also run the Center for Cybersecurity Policy and Law, and previously in the Obama administration I was in the National Security Council.

Thank you so much, and we're really hoping to have an interactive session as well, so please do feel free to continue to watch questions. As I said, there will be an opportunity at the end of the record conversations as well, but if you want to raise questions then please feel free to do so.
So, you know, what I'd also like, the intention from this session is that everyone leaves with an understanding of what the key priorities are and what people, different countries are working on, and how we can make sure that we continue to inform one another of our work as it progresses. So, you know, the way that we were thinking about framing this conversation was to kind of think through the various challenges that cybersecurity policy makers have been facing, first of all in creating their own identity, you know, it's had to be generated very quickly, and then how that has translated into challenges of securing existing technologies, and then moving into challenges that have been, you know, how we can learn from that experience to make sure that we're more resilient, become more capable of addressing these issues, and then in the future also touching upon cyber workforce and cybersecurity, so skills agenda as well as an area of interest. So I think for me one area that I'm particularly interested in is how we can be helping to, like, play catch up.
I think an area that in my experience in DCMS that we had was, particularly in light of the Mirai botnet attack, was thinking about, okay, we've now got so many of these IoT devices that are being used by businesses and by individuals across the United Kingdom and of course across the world, and we had to kind of retrofit security into those forms of technology. And there was a real challenge of how we can, you know, create this approach, where working in policy is a particular way of operating, and which often relies on sort of lengthy consultation processes, long engagement with various stakeholders, you know, and lots of ministerial engagement or a lot of hierarchical processes. It can be often, can see often, I mean we all agree, not as fast as the private sector in terms of how it can operate, but then there's been a question of how we can learn quickly to try and make the best impact we can within those areas of technologies. So, you know, I think that that comes into this secure by design approach that quite often gets referred to. So I suppose what I'd love to really talk about is maybe start with Bryony, understanding a bit more about some of the work that's been taken on in the UK, and also as you can talk through both on the PSTI bill but also a bit more on the telco.

Thank you very much. So just to start a bit about secure by design, because I feel like in UK government we've talked about secure by design for quite a long time now, so talking about what that actually means is about how we want to secure technology and data sharing systems on a secure by default basis, which basically means that we're not retrofitting and we're not doing security as an add-on. I'm sure a lot of you have heard about the analogies: we talk about having seat belts in cars, making sure that, as you know, if we have seat belts that's less deaths.
I'm sure people have also heard about that with aeroplanes, that we used to have square windows, which meant there was pressure on the corners, which led to many more deaths. Now we have circular windows, which means that this is secure by default and means it's much more safe. So I think that's how we need to think about it, particularly, I'm sure we're going to talk more about AI and how we need to approach that. But what we recognize is that we can talk a lot about that, but actually that's really difficult for industry: it costs money, it costs time, you want to go quick to market, it's really, really difficult. So actually how we work together to make that as enforceable and easy as possible is how we can actually achieve that. So in April we issued some guidance with a lot of countries, with Australia, with the US and a number of other partners, a bit of a roadmap of how companies can do that, and that's meant to be some really easy enforceable steps. This isn't rocket science, what we're talking about. This is about not having default passwords, this is about things that should be being done by practice, but sometimes that's really difficult when people are not thinking about security, as you know, because you want to go quickly into the market. So we're doing that via a variety of initiatives, and I know there's a listening session with CISA later to go through some of that guidance slide by line and get some feedback. But some of the things that we're doing in the UK to enforce that is with our product security act, which was brought into force last year and will be made law by April next year. That's about consumer devices, and what we've done is take a very evidence-based approach, so this was taking evidence from our National Cyber Security Centre to look at where we see the most threat and where can we do things that make the most impact, and that's by three steps.
So one is not having default passwords, one is having a mechanism to report vulnerabilities, and the third one is the manufacturer to be transparent about how long that device will be updated for. The really great thing about this legislation is that it can be updated. This is very much seen as the initial raising of that resilience, but was something that we can potentially look to build upon in years to come. And I'm sure we'll go talk a bit more about the CRA, but that's something we see as something that is very much in partnership, and something that we will continue to assess and see how both those bits of legislation grow. The second bit of legislation, which came into force almost two years ago now, is the telecoms security act. This is really to recognise that telecoms and networks are the backbone of how we manage our everyday lives, and we talk a lot in the UK about making the UK the safest place to live and work online, and this is seen as the backbone of how we do that. And there's a ton of work that went into inform that work about, we had diversification strategy, we had what we're looking at, there's the network, we're most vulnerable to threat, as this is, like I say, a very evidence-based approach, and the aim of that legislation is to raise the resilience of networks and to make sure that they, there's that's the most threat, are resilient as much as possible. So that's something we're really proud of in the UK. We've still got a long way to go, we haven't fixed everything, but it's something that to us, those two areas, is a real key of how we can raise the overall security of the UK and indeed the world.
I think that's amazing to hear about, and I think something that may be interesting for participants who may be not familiar with the intricacies of UK parliamentary law is, there's the distinction between primary legislation and secondary legislation, and in both cases those bills are what we call primary legislation, which end up on the statute book as an independent piece of legislation, which takes a long time to get implemented because there's a lot of parliamentary time that goes into that process. So the competition internally to secure a spot in the Queen's speech, which generates the kind of, where all of the, what bills will be introduced, that is very competitive, but once you're on that statute book it becomes much easier to add regulations. So actually in terms of creating the capacity to be more adaptable there is a distinction between primary and secondary, and I'm sure that's maybe in other countries as well, but I think that's a really important part for both the PSTI and the Telco security bill, is an important distinction. And I think helpfully, as you know, a big challenge that I think legislation faces is how can it maintain, how do you avoid becoming obsolete as soon as you become implemented, because technology moves so quickly that's very difficult. So my hope is that by having that process and that engagement with industry and that engagement with security communities you're able to make sure you're fit for purpose in that way. So yeah, I think that's an important point as well, definitely. Adam, do you want to talk a bit more about some of the things that have been going on in Australia on that side?
Sure, and I'll start by outlining Australia's position in our region. In 2017, in recognition of the deteriorated geostrategic environment we found ourselves in, the Australian government made the decision to introduce legislation which would require our telecommunications companies to not have vendor equipment in their networks that came from countries which were subject to extraterritorial direction. Then we went on a journey over the next few years to outline what we considered to be critical infrastructure assets, so we have applied through legislation that was introduced in 2018, and we've defined 11 sectors, within that there's 22 asset classes, and those assets are required to report to the Australian government their asset holdings, their ownership structure, so we get an understanding of which countries have the ability to direct operations in Australia's critical infrastructure. They're also required to mandatory report cyber incidents, in the same way that CISA is developing CIRCIA, going through the rulemaking process for CIRCIA. It's a very similar mandatory reporting obligation; the timeframes are very much aligned. The next element of that is a requirement to develop a risk management plan, and as part of that risk management plan cyber security is a critical element, and we are requiring entities to develop a plan that uses an internationally recognised framework, so NIST is one of those frameworks that we allow our asset providers to use. We also have designated some assets to be systems of national significance, so you might have heard in the US there has been consideration of introducing legislation that would designate systems CICI or systems of critical importance, and so we've done that for 82 different asset classes. So we've outlined 950 assets that we consider to be critical infrastructure, and a subset of that which we consider to be systems of national significance, there's 82 of those. So we are working with those assets, those operators, to put in place incident
response plans. They'll also exercise with relevant agencies including our Australian Cyber Security Centre. They'll be required to provide systems information where necessary. We also have another obligation under the legislation which allows for government assistance measures, so that would allow our government to direct an asset to do a certain thing, or in extremis, in the case of a near wartime environment, we would direct an asset to do something and potentially take on responsibility of their system. So we've seen the situation in our region deteriorate, we understand that there's a significant risk to them, and we're on this journey to build the resilience of our critical infrastructure. It's in its infancy; we're just this month introducing the risk management plan, so we're yet to do a full analysis of what it looks like and how it has improved the resilience of our critical infrastructure in Australia.

I mean, I think that's, thank you very much, and I know that there's a lot of different frameworks that take place and are under consultation as well. And Peter, I know that there's a lot of work that's been going on in the European Union, the Parliament, the Cyber Resilience Act and also other big pieces of legislation there, which, would be great to hear your views, particularly on that process of catching up on those existing technologies.

Sure, yeah. So firstly, just as a preliminary remark, it's important to understand the way the European Union is established: it legislates in areas where individual member states within the EU have given it authority to work together on behalf of all of the member states.
Technically there is no reference in any of the EU treaties to cybersecurity being a policy area that the EU is allowed to work on, so there's been some sort of delicate footwork over the last 10 years to try and identify areas where the European Union can act. We've had NIS and NIS2, the two cybersecurity acts which established and improved the European agency for cybersecurity, ENISA, and there's also, with the Cyber Resilience Act particularly, given a basis for legislating on issues regarding a sort of common approach across the European Union for the market of sale and availability of goods which have cybersecurity implications. The reason I mention that is because a lot of things like critical infrastructure, for example, are exclusively national competencies, and for which the European Union doesn't itself have any competence except on a coordination basis. I think in terms of the substance of legislative work, we've taken what we call a sort of ecosystem approach, recognizing this increasingly complex ecosystem of devices, services, interfaces between digital systems and the real world. The data that's driving and feeding those systems, the software, the algorithms, the learning models and everything else together represent both an opportunity and a threat and a risk to having real world impact, either to citizens, to infrastructure, to people and services in the real world, and that sort of ecosystem approach underpins the work that's being put forward in the Cyber Resilience Act, which itself is one piece of legislation alongside others that have gone through this current legislature of the Parliament, including NIS2, eIDAS, which is the European identity scheme, the AI Act, the Data Act, the Data Governance Act and various other pieces of primary legislation coming out of the EU. I won't go into all of those because it's just a vast area, but just pick out a few points of relevance, I think, on the Cyber Resilience Act.
Despite its name it's really looking at that domain of connected devices. The lawyers deliberately didn't want to talk specifically about IoT, but again it's that sort of part of that broader ecosystem of the interfaces with the real world and the services and systems and software behind those that directly interact with those actuators, sensors and IoT devices. The general approach, which I think Bryony mentioned as well from the UK government approach, is largely a risk-based one, where we've classified different products and services on the market according to an initial evaluation of what the risk levels are. The lowest risk being, you're good with your product as it is at the moment. We then have sort of two regulated classes: class one products and services, which are those which are considered lower risk but nonetheless present a risk, which is where we are looking for what will be called the European Union Declaration of Conformity, so similar to the SDoC that you see in a number of other countries, and then the class two, which is the higher risk, which requires a third party certified conformity assessment to be done.
The act itself is broken down into areas covering the security requirements, sort of minimum security requirements, and I think they're very similar to the UK government's approach there: requiring that the products that come on the market are secure and patchable and patched through the life, the declared life cycle of the product. So if someone says we think this product is going to be on the market for 10 years, they've got to assess, attest to and have an assessment that their products are indeed being maintained, patched, updated or whatever for the entirety of that life cycle; that no product comes onto the, I have to say this with a straight face in this audience and in this event, but must come on to the market with no exploitable vulnerabilities. Good luck with that one. Exploitable vulnerabilities, not exploited, known exploited vulnerabilities. But as a political statement it's a good starting point to come from. Interestingly, and I think this is where there's a bit of a difference and we move ahead of legislation elsewhere in the world, is two things about updates and patching. One is requiring manufacturers to have two paths for updates, one for security updates and one for functional updates, allowing and actually by default ensuring that security updates are on by default and don't require user consent, whereas functional updates should be separated out and have a possibility for the user of the device or service to determine whether or not to update the functionality, but to separate the two out. And I think that's an interesting element; again, whether it'll hold to, you know, the test of time we will see. The second one is the idea of, and I think many of us have seen that in operational environments, where you want to sort of default back to a factory reset, you're not sure about the vulnerability of something so you want to go back to a starting point, but requiring that you can do a factory reset together with all of the security updates that have been
implemented up to date, so you may be able to have a situation where a product has been securely and safely updated and the security updates are maintained, but you want to default back to the original settings for many of the other aspects. I think that was another interesting aspect. The other thing is, unlike in cybersecurity legislation elsewhere, and because of that bigger ecosystem that I talked about, the Cyber Resilience Act also covers issues about confidentiality, integrity and availability of the data, and requirements that data, particularly personal data, is compliant with the more well-known GDPR, the data protection regulation of the EU, but also a number of rules governing the use of data by those devices and by the services around those devices. I think I'll leave it there at this stage.

I mean, we could say broader conversation, so one thing for me that is interesting is the relationship, just on the IoT side, is the role of standards and how they face each other, right, that'd be interesting.

Yeah, indeed. So when I mentioned about the class one and class two products, the class two products are the ones which require a conformity assessment. So to do the conformity assessment you need to have standards against which you're making an assessment and doing a certification. The problem we have there, and it's both a sort of geopolitical battle as well as a purely standards technical battle, is there isn't really a lot in the standards world that we can base ourselves on as a starting point, and what they've taken is, okay, there is a European standard, the ETSI three three six four five, which I think other people have referenced, but beyond that, and this isn't an issue limited to the Cyber Resilience Act, it's more a general principle about EU legislation, but when standards and conformity assessment are required there is a very laborious and Eurocentric approach to standardization, which requires firstly that the European
standards bodies are given instructions to do a sort of survey of what standards may be in place and available that conform with or that align with the requirements of a particular piece of legislation, only then determining whether there are international standards through ISO, IEC, ITU that fulfill the requirements of the legislation. But more often than not we see, and it's a practice the European Parliament has been trying to push back a bit on, which is the European Commission, as our executive branch, sort of defaults, its sort of knee-jerk reaction is, if we need standards we go immediately to the European standards body and create something new, which may already have been created or established elsewhere. So there are, let's say, some geopolitics involved in that; it's not just purely technical issues.

I think it's really interesting on the standards bodies, because that's something that again the UK government, when it was helping to deliver the Product Security and Telecommunications Infrastructure Act, was helping to think about how it can recognize and refer to existing technical standards and make sure they are embedded or referred to in the way that regulation is drafted, and of course to make sure those are then updatable, to try and resolve an issue where you just refer to something which has become obsolete. And I think within the standards body, something that I've seen on IoT specifically is a lot of organizations are starting to map out the relationship between the existing standards bodies and the outcome and the sort of terms within it, so to try and diffuse sort of that geopolitical issues where people feel like, okay, we have to go with this one because it has this particular association, and actually try to move to say, well, actually there's kind of universal consensus around these particular points, and that I think is something that is a view that we're looking to aim towards, is sort of helping on that front.

Yeah, and I think just to
round out that, I'm speaking, you know, purely in a personal capacity here as someone who's been working standards work as well about the last 30 years: standards are not a tool for regulation. They can help underpin it, but neither are they an alternative to regulation. For me, I've always seen sort of standards being a sort of bedrock foundation on which regulation, business to business agreements and other sorts of deals can be done, where you're agreeing a common basis to do that. What we have seen historically is, for a lot of areas of legislation in the European Union, standards have been developed as a tool to implement legislation, rather than looking at the sort of panoply of standards available and saying, well, actually the requirements in this standard or this standard meet 90% of our requirements, so we don't need to go out and build something new, and for the 10% that's missing we will do whatever's necessary to build that up. And trying to get into that mindset of using and reusing existing standards is becoming increasingly important in that international cooperation, and mentioned about it but the Council, which is a big political cooperation between the EU and the US, one of the streams of that work, and we've seen that elsewhere in Quad Alliance, in APEC, in the India UA EU trading technology environment and others, is recognizing that if you're going to trade and improve the markets across those geopolitical boundaries, it's easy to do that if you're working on the added basis of conforming to agreed and common standards which everybody's used.
I think there's another thing just on that point, and we will move on, I promise, but just on the role of recommendations from international organizations. So I know this is something which again, there's the role of technical standards, and there's also, particularly for countries, not for the United Kingdom but for others as well, is how can international organizations play a role to help kind of share good practice recommendations that can then be used by countries that don't have necessarily the same level of cyber capacity. So, you know, the OECD recently published a series of recommendations around management of vulnerabilities and also the management of product security, so those have been helpful in terms of, they've gone through a process where they've been ratified by the 30 member states, and of course they don't go into technical detail that you would expect in a technical standard, but it is a helpful starting point and a helpful tool to share in terms of that capacity building for countries maybe where you don't have the level of resource that you would have in, say, the United Kingdom or the European Union or the United States or Australia. And I know that Ari has done a huge amount of work as well in his role with Latin American countries. We know of course Costa Rica had a devastating attack in the not too distant past, and it would be really helpful, Ari, if you could share some of your insights working in Latin America, and then also you were saying that in Kenya and Africa as well, it'd be fantastic to hear from you as well.

Yeah, comment on this point, that on the, you used this term, countries that have less capacity, and I think it's important to point out that that's not always just Latin America or African countries. I mean, when I was in government we met with the Norwegian military, and one of the lead civilians there said, you know, I don't think you guys realize how much impact you guys actually have on the rest of the world
when you put out a new policy, and I said, you know, we really think about what issues we want to lead on and how we do. She said, no, Ari, really, like when you put out a policy we translate that policy directly into Norwegian, and then we take the cover page off and we put our cover page on, and that's our policy, right. And I think that, I mean, I think UK has some of that impact as well, and Australia probably regionally. That's what the EU wants, right, that's the kind of impact, and that's part of the standards, the geopolitical kind of overview here. But I mean, US is usually standardizing before and then bringing it to the international arena and then pointing to an international standard in most cases, which is one of the reasons the EU wants to work around it, but we could go into some of that more later on. But I think that's, you know, some of the idea here. But that's Norway, right; Norway is a very wealthy country, they just don't have the capacity to have the kind of policies that the UK, the US, Australia do, and maybe Germany, France, some of the EU countries do, which is interesting in that way. And I think that, you know, what we have seen Latin America basically do is take a similar approach to some of these things, especially as it relates to what they tell their agencies to do, but then the agencies themselves don't have the ability to follow those policies that US agencies do. So they have these policies, like, you know, Mexico and Brazil both put together cyber strategies over the years, and they're very detailed and they look a lot like the US strategies do, but do they have the ability to implement them? And so we've seen these countries do that usually, and this is kind of the big trend in the region, is usually cyber security has been run out of the might do regulation and internal controls or the CIO's office, you know, federal CIO for federal agencies, and that's who runs it. Costa Rica had
this huge breach last year, which was a ransomware attack, shut down the government. It was like right at the time of the presidential election; it was a total disaster for the country. They still have not recovered; a lot of the agencies are still offline. The US gave them 25 million dollars and a plan that came from MITRE and Carnegie Mellon about how to respond to it, and they're still working their way through that in Costa Rica right now. 25 million dollars has turned out not to be enough for them, even with that, to go forward. They just don't have the internal expertise to be able to deal with this kind of situation, and we're seeing that other places in that rate really. Mexico also last year had an incident which they call the Guacamaya breach, and that led the President there basically to say publicly, we just don't have the expertise in the country, which is something that a lot of us that have worked with Mexico knew, but they admitted publicly before. They want to now build a cyber security agency there. We see the same thing in Brazil; as I said, there's legislation to have a cyber security agency. Colombia also is talking about building a new cyber security agency in a similar way. It has not passed yet; people thought that it was going to and it did not get to that point. But Chile seems to be the first that actually is going to go through and move forward with that idea. Will it work for them?
You know, we hope that it will help them bring more of a workforce and, you know, structured approach to it that's not just to kind of follow on to IT management, right, that is, some people are looking at this from this real true security point of view and bringing in and building a workforce that can do the work inside the country. So I think that's what we're seeing in the region. There's other trends too, but I think that's the one that probably makes the most sense to go over, since we've seen so many different countries now take that same path. Africa is not in the same place. I mean, recently, this year, Kenya had an incident that they had a lot of trouble recovering from as well. There's some signs that they're past it at this point, but it took them a long time to get to there, and they're like the most advanced, I want to say number one, I don't have a ranking to go by here, of African countries, but of the ones that we've worked with they're very, very high up and have more of a workforce in African countries too, but yet they haven't been able to respond to this incident and they were not prepared for it. Other African countries, not prepared at all. So we're hoping that the kind of, you know, silver lining from the Kenyans is similar to what we saw in Costa Rica, that there can be this kind of public awakening around this from the politicians on this, that they need to put more resources around, and in this case they ask Europe and the US for resources to be able to help them build cyber defenses, the same way that they ask to build physical defenses. So that's where we are.

I think you raised really important points about the importance of kind of workforce strategy, and I think also in terms of your point about strategies being beautiful and generated and, you know, a
very nice document, but then in terms of the implementation within that, difficult to track, again, which comes back to the expertise point. But also how do we make sure that, you know, I think if countries are now getting to a point of recognizing the important role of having national participation important and I think there was a time in 2017 when Mexico had the federal police write their strategy, and it was very, very militaristic. The first draft was very militaristic and made a lot of people really uncomfortable inside the country, especially because they had had so many problems with activists and going after activists, and a lot of concern over it. Industry and did a there was a study of at the time that was done looking at what industry looked like in Mexico and where they needed to improve, but I still think that in the end that strategy was still something that was unrealistic for them to implement given the workforce, which goes to your point.

Okay, and I think, so bringing it back now to the UK, Australia and Europe, I think of course there's been a lot of work creating. When I joined the cyber team in DCMS I think there were 30 people, and by the time I left it was about 200, so you know, you saw a huge growth in the level of resource needed to help work on these different initiatives that were taking place. And I think that we now have a position where it's a recognised area within many government operations, it's a recognised policy function and it has a series of roles which are being now what we see is the most important policy considerations for this year and for, you know, of course we've got a lot of technologies that we're probably going to talk about, including artificial intelligence, so we'd love to hear your insights on that front. So Adam, can I start with you on that one?

Sure, and I might go back a step just

Sorry, could I ask you please to keep the microphones closer to the speakers? If it's more than about eight inches away from you, you're in heavy competition
That's good advice. So I might just go back and give some context as to what we've seen in Australia the last year, year and a half. We late last year suffered two significant data breaches, the scale of which affected the personal data of about ten million Australians. So they were an attack on our second-largest telecommunication company and our largest healthcare provider, and that was a moment in the way that Australians think about cyber and data security, in the same way that I think Colonial Pipeline was in this country. It also was politically seismic and meant that we for the first time now have a cybersecurity minister within our cabinet, so the highest levels of government. And we've gone through a review which essentially found that in Australia, at a macro level, the maze of unclear regulation and government doesn't provide the type of clear, direct directives as to how to best uplift their cyber security, nor does it clarify obligations on data security and classify what is considered to be the most sensitive data that organisations in Australia hold. So that all brings us to the point also where we recognise that there's not much that we do need to ensure that industry in Australia has the right type of visibility of the threat it faces. That brings us to the point where we now are developing new cyber strategy. To Ari's point, we've been monitoring developments in the US very closely, and fundamentally in Australia we are philosophically aligned with the new US strategy; we recognise that moving the burden to those who can best take on the risk and, secondly, incentivising long-term investments. Unlike other countries, Australia does have the capability to move quickly on legislation and also the capability to deliver on our stated goals, so we are hoping that we can actually go further in terms of implementation than the US can by virtue of the legislation that will deliver to the US.

So the UK published its cyber strategy about a year and a half
ago, so hopefully a useful blueprint for the US, Australia. But the whole message of that strategy was that this is a whole of society effort. We can't do it alone in government, we can't do it alone in industry, we can't do it alone in academia; we have to do this all together. And this strategy recognises that this is not about the UK anymore, this is about the world, because obviously, as everyone knows, we can't just work one part of the UK. But obviously a strategy, it's only all very well and good, but it's not worth the paper it's written on unless you actually do it and actually carry it out. And so I know the US have done a brilliant implementation plan, I'm sure Australia will do something similar, but that is something that we're really actively taking forward.

What priorities for the future Peter?

So for us is the horrible term of emerging technology, and I'm going to go to the debate what's emerged and what's emerging, but you know, for us there are two broad buckets of: we have technologies we need to care about today, and then ones that are in the future that we still want to care about but we need to think about putting the security principles in place. So the ones we're really focused on at the moment in the UK today is AI, and there's lots of different areas I could go on and on about, but it's something that we're taking really seriously, and that's something that's really front and centre of how we implement. And going back to what I was talking about earlier about secure by default, is there something that is very much the core of how we're approaching those technologies and making sure that a security approach is embedded right from the start. And so we're looking to take how we're going to take forwards a broader package of different pieces of legislation which one advantage we have, I think, as a national parliament, as a European parliament, compared with others is that there is an agreed sort of legislative program over a full five-year period where the
European Commission is responsible for drafting and putting legislation on the conveyor belt, and where parliament, member states represented in the European Council have the final say in that legislation. So we're coming towards the end of the legislature; there'll be elections next year, and I'll come back to that because that's another relevant point in a moment. So in that whole period we've had the Cyber Resilience Act. We are pretty far along now with the Artificial Intelligence Act as well, which has been, after I think it was 7300 amendments tabled, discussed and debated within the European Parliament, to get to a compromise where we now have a solid negotiating position. And that's not the end of the story, because parliament has its position, the European Council has its, and we have to sort of now reconcile those two versions. But there is the legislature's sort of feet being held very much, because under EU, our internal rules, any legislation which isn't passed and adopted by the end of the legislature, our last legislative session being in May next year, falls away. So even if, however advanced the draft is, it's not being written into law; you go back to square one. So there's a real push to get all of these pieces of legislation through. In terms of challenges for the next year, then, I mean, I mentioned the election coming up, European Union, the European Parliament, which then plays an important role in the nomination and final confirmation of the European Commission. It's a five year process. In the US you've got a two year congressional process for the election of the whole house and a third of the complete six year period, and the presidential elections over a four year period. So anyone who can do the maths sees that the common denominator there is 20, so every 20 years we have the elections of the European Parliament at the same year as the US presidential and congressional elections. So 2024 is going to be a big
year for us because of the issue of disinformation and election integrity and election security. This is requiring already quite a massive mobilisation, both within the institutions in terms of cyber policy, in terms of policy, operational cyber policy. We're trying to face that with a severe skill shortage, in a situation where budgets are limited, where it's difficult to get any new staff. To give you a sort of flavour of the importance of it for us: of the total complement of new posts that can be filled and have bums on seats and actually doing the work, something like 55% of all new posts are in the field of cybersecurity across all the European institutions, so it's seen as one of the most important growth areas. However, and I'll be the first to admit this, the sort of people we want to attract to those jobs are not that interested in working as career bureaucrats like myself. I'm dressing down; this is my idea of dressing down. So we've got to be realistic to find talent that will work for us in an environment where they're comfortable. I mean, the career structure isn't attractive for people involved in cybersecurity. The salary, at least the initial starting salaries, may look relatively attractive, but for people who are used to a high degree of autonomy, to be driven by clear objectives and wins over short periods of time, the flexibility of where and how they work, off from the starting point we're not an attractive proposition for people in the field of cybersecurity, and we recognize that. And part of the problem we have is, where for most posts that come available for recruitment we have a ratio of something like four to five hundred candidates per post, we are down to a situation where we're barely getting the number of candidates for the number of posts available in the cybersecurity field. So we've got a problem and we recognize it. We're addressing it at the moment; the way we are addressing it is through third parties, so we're using contracted service
providers who themselves can then take people on on a much more flexible basis and have sort of service level agreements with us in terms of what they deliver, and that's proving useful and is patching, both literally and figuratively, some of the problems we have in terms of capability. But as a long term solution it doesn't work. Our public procurement rules are also lengthy and clunky, and having contractors on board and having them recruit people according to certain criteria, it's a very complex process. So the appeal there, I think, is to recognize that it's not a sort of "come and serve your country" appeal that the US or other countries can offer to hackers, analysts and others in the field that would not normally look at these as career opportunities. But we are appealing because of the attacks against the parliament. Because it stood up in support of Ukraine against the Russian aggression, we provided practical support for the Ukrainian parliament, and we're paying the price in terms of an uptick in attacks against our infrastructure. And we are starting to ramp up this issue about appealing to public conscience, also saying this is not just about defending a great distant bureaucratic institution, it's about defending the integrity of the democratic process, elections generally. And that's, yeah, that's what I'd say on those net

Thank you Peter, and I think definitely keen for us to have a conversation about skills, because it's definitely coming through as something which, as we're facing future challenges, how are we preparing ourselves for them? So perhaps, Ari, what I'd love to talk, you spoke briefly about the effectiveness of Mexico adapting its approach in light of feedback in terms of developing its strategy. There are lots of tired tropes about what it's like working in the bureaucracy, what it's like working in government. I'd love to say they're all untrue. You can still watch episodes of Yes Minister and I think people would agree it's still there,
but I think there has been, I have felt like, an adaptive approach of how we can be more outcome focused, how we can prioritise the areas which make the biggest impact on people's work could be online, but I'd love your thoughts.

The UK has done a great job. NCSC has done a great job in terms of the consultations. If anything, sort of, maybe we've been deluged with consultations, like deluged by transparency from the UK, which I'd much prefer over the opposite, so I don't mean that as a criticism. But it does get hard if you have five consultations at the same time. It's like, even in the US, we don't have that many full time cyber policy people commenting. So I think spacing them out is helpful, but also understand like your politicians I want to get stuff done now, so that becomes harder. We're starting to see that in the US: we're probably going to have three RFIs in the US within the next two months. There's one now that's going to be extended, so we have three that we have to comment on there, so it's a similar situation that, I think it's great though, because the RFI and the consultation process leads to a much better first draft of a product, policy product or legislation, than what we would have otherwise. So obviously I prefer them to be spaced out, but that would be good. I'd say Australia does a very good people when they put something out that they feel like this is something we need to get attention to, like we don't want to surprise anybody when this is happening. Adam does a particularly good job of it, so I can praise him on the panel. But I think, you know, they've had us testify and set the time for the testimony in a way that we could actually testify, which, like, most countries don't want foreigners to testify, and they're like actually purposely seeking out and asking for it, to be helpful. The EU, you know, not; the structure is Byzantine in the first place, so it's hard to, like, if you're not actually in Brussels I think it's very difficult to figure
out even where things are, and the commission does not reach out that way. Parliament does; I mean, members of Parliament come on tours and they want input, so that's helpful. I'd say even the council staff, when you go visit, really does too want input. The problem of Parliament is that they have a lot of issues and the members themselves are not educated at all on what they're voting on or what they're doing, and things come through quickly. And so, yeah, it's sort of equivalent to Congress actually. I'd say the US Congress staff now with like probably a little bit better educated than the elected members staff, and then the elected members are about the same, maybe worse in the US, but depending on who it is, because a lot of times you get young people in European Parliament that are rising stars and then they know a lot and they want to engage on these issues. But it is complicated, and even just that you have these three places to go to, and the commission sort of puts you off for a little while and then they're like, "oh no, we can't make any changes". So it is unlike other places, and so that has been difficult to. I don't know if that answered the question, but it kind of gives you the

I enjoy the reference of deluge by consultation. I definitely feel as though what's been effective for me has been, like, to be able to be transparent with communities, to say no, we do read, we do actually engage with what you share with us, and we try to adapt the format to make it not overly burdensome, so it's not just you have to have a government first division in order to fill this in, but like you can contribute your insight.

Like in the US, sometimes you'll get something from an agency that is like a spreadsheet and it has like, "oh, you gotta fill in this box", and it's only a thousand characters, right? And I'd say the NCSC is the opposite of that. It's like, you know, here is a lot of questions, you can fill out whatever you want,
you can not fill out what you want, it can be as long as you want to make it, etc., which I think is great; it makes it much easier to comment. And some of you, I'm not saying all US agencies tonight, some US agencies have that approach too. But I'm sure for some engineers that little box is very helpful, but for someone that's trying to give fulsome viewpoint and you only care about one issue, having a hundred characters is not very helpful.

So I think it can be challenging to know who the right person to contact is and actually to help decipher the complexities, because I think it can be sort of potentially quite burdensome, insight about how can I engage with my government, how can I share feedback, and actually to try and make that process as simple as possible.

Yeah, I completely agree. That's something which there's still more to be done and it's inconsistent, but I think that's something which I think does help in how things work. I'm a bit used to mention the AI work that's taking place in the United Kingdom. I'd love to hear a bit more from that.

Yeah, of course. So I think obviously we've all heard the terrifying scary stories about AI, and I think the predominant feeling in the UK is that what we've got to remember is that there's a lot for good as well, and everyone knows here about all the things that you can achieve, like coding and drug discovery. I mean, in the UK government we're very, very excited that this could solve our expenses issue, because I think if that could fix that, that would be great. But yeah, we're obviously very conscious of the risks as well. I think what we're feeling is that it's akin to a lot of the 90s, with the sort of exposure of the internet and not the hype and the excitement that was around that, and obviously went really fast and security wasn't an integral consideration. So what we want to do, and going back to what I said earlier, is like, let's learn from those lessons from the past and let's make sure we're doing this looking at security and making
sure it's embedded now, because otherwise it's going to be really, really painful if we have to retrofit in a few years time and think about how we want to manage that. So that's what we're looking at at the moment in the UK, and we've published a number of papers on potential regulation from DSIT, the Department of Science, Innovation and Technology, and we've also published on the National Cyber Security Centre's website some principles. So that's something that is again, as for all of us, it's going to be one of our number one priorities. And going forwards, our Prime Minister announced when he visited DC a couple of months ago that there's going to be a global AI summit in the UK in the autumn that's going to be looking at safety and working with other countries about how we can think about building on things like the White House's recent voluntary commitments and thinking about how we can do this together with these internationally.

Great. Thank you. So I think something that's really come through as a bit of a theme here has been the important role of capacity building and of how can we ensure that we're preparing the cyber workforce, so I'd love to hear perspectives on that side. So Adam, is that something that you can share a bit more on Australia?
Sure, and so we're in the midst of developing a new strategy with the responses, and as part of that there was a recognition that Australia, if we continue with the current dynamics in terms of our workforce and our skills, we'll have a shortage of 46,000 people by 2026. And so in recognition of that, the government is considering a holistic approach to the way that we develop skills and a cyber workforce in Australia. So one of the things that will likely come forth in the new strategies for first and secondary school students, so that looks at not just cybersecurity but also online safety as well and literacy. The second is a professionalism scheme, so the feedback received was that there's not enough understanding of what are the standards to meet cybersecurity skills in Australia. And the third is a recognition that there's elements of our society that we can inject into cybersecurity if we give them the opportunity to return to work through schemes that will work for migrants, mothers returning from work or other people who might be returning from the disability, et cetera. So there's kind of three key elements to the cyber skills conversation, sorry, the workforce and skills conversation in Australia at the moment.

I talked a little bit about the skills; I won't repeat any of that. The only other element in the cybersecurity sector, it's been added by the parliament, it wasn't in the original commission draft text, is increasing funding and support for the European cybersecurity agency ENISA, and particularly for its work on developing sort of the cybersecurity community practice and of facilitating the exchange of competencies with the national cybersecurity centres. As I say, cybersecurity isn't an EU competence, so that's why we have to sort of dance around the legislation a little bit in terms of doing this, but there was pretty much universal support with the idea of, you know, not ENISA taking over from the national cybersecurity centres, that's never going to
happen, we just don't have that capacity, but improving the exchange of experiences and looking at standards of exchange on new exposed vulnerabilities or attacks and being able to improve that in an environment which is, you've got to remember, the European Union's 27 countries, European Parliament's made up of 700 members from 107 national political parties working in 23 languages, where the legislation that's implemented is implemented in those 23 languages. So you know, excuse a little bit if things are sometimes a bit complicated. But even at this level, you know, everything working on cybersecurity at a national level, English may be the lingua franca for a lot of operations and a lot of stuff, but you cannot impose that on a country like Romania or Serbia or Estonia, that their workforce exclusively work in English, so you've got to provide that competence also on a multilingual basis. And I think that's the other thing. The only final element I'd mention is, and I touched on it when I talked about election integrity, and that is there's a call from a recent report of the European Parliament on election interference and foreign interference, is a call to the member states to make election systems part of, classify them as critical infrastructure, which is not the case at the moment.

Thank you. So I think the only thing I would add is what a consideration for us for the next year is going to be looking at cyber skills. So for us in the UK, there's no point that's talking about increasing resilience, it's critical national infrastructure, looking at the threat, if we just don't have the people to do it. Currently in the UK we have a gap of 11,000 jobs, and our cyber workforce has needed to grow by 50% over the last four years, so there is a bit of a tight spot. So what we're really clear and what we want to do for young people and do people who know mid-career or any point in their career is have a really clear visualization of what a Korean person is like. So we talk about teachers, we
talk about lawyers, we have children who want to do something like that. At the moment there isn't a clear career path if you want to become a cyber professional. So over the last two years we have worked really closely with industry and a number of other partners to think about how do we create a clear career path for the people who want to get into cyber. So that has led to the creation of the cyber security advisory council, which is an umbrella organization to create that career path. We're not saying that, you know, there's still a long way to go and we're still doing a lot of consultation. There's currently 16 different specialisms within the cyber security council, there are different areas of accreditation, but what it tries to take is a holistic looking at all the different things that you can do to qualify in cyber. So it's someone who, like for myself, did a linguistics degree, it's making sure that we can value all the different things that people bring to the table on cyber and making sure that we're all recognized, but also creating that clear pathway and creating a clear visualization for what people want to do by working in cyber.

I think you mentioned earlier about the consultation value. It would be great to hear a bit more about what you'd like to see more of from what you've seen some countries do really well in addition to that, and then what maybe you think we should be doing more to help us get to that capacity issue bit sooner.

Yeah, I mean, the developed countries and the non-developed countries, and I think from my point of view a lot of that has been that we have to think about getting much more diversity into the structure. I mean, one thing that the UK has done is they had this effort to bring, like, I forget what grade level it would be here, but girls at a certain grade level, they have a competition the girls can enter on skills that leads towards cyber security, and have a challenge for them, and had a ton of participation, ton, ton,
ton participation and got national write ups and things like that. I think we need to do a lot more of that, but that's like planning ten years out, right? And I think that might be the path. We do have, there is this kind of challenge: you're talking about AI, right, we're going to automate a lot more of security, and at the same time, like, we want to get more people into these jobs who then their jobs might disappear as well. So I think that there is a little bit of a challenge on that side of it. But, I mean, there are still so many cyber security jobs right now. I mean, what Peter was saying in terms of the number of open vacancies, if you look at what we have in the U.S., the CyberSeek page that NICE puts together an S, they have, I think it is, the number of open jobs is equal to the number of people that are qualified for those jobs. So if everyone switched, obviously you'd have all the other new jobs open up, right? So it is not like it's just a, we have to bring down the number of jobs, and automation can help with that to some degree. We also have to get more people into the workforce, that diversifies the workforce, and think more differently about who those people are, and it might mean thinking ten years down the road in order to get enough people to do that and to bring those kind of challenges, because you're not going to just, you know, the other key to this is a lot of those jobs aren't the entry level jobs, right? If you look at the job categories, most of them need five years experience, it's the baseline. So how do you get three to five years experience, right? So there is a lot of this discussion about apprenticeships and things like that in order to get there, but we've got to think a lot more creatively, because apprenticeships are hard to scale.

So just any of the points that people raise on the skills, just what Ari just mentioned regarding our CyberFirst girls competition, which is, I'm sorry, because, yeah, they were really proud of the CyberFirst competition
and it's about girls aged 13, and they do a coding competition over the summer. And what we see is this point where in the UK that's where you choose your next stage of education, which can dictate what A-levels you do, which from university you go to, so really it's a real determining point. Quite terrifying, you have to make a cyber sort of topics at that age. So this is why that competition is aimed at that age, to try and tackle that. The only other thing I would say is some of the programs we have are starting to see some results. So they've been in progress for about the last seven, eight years, and we're now seeing some of those people who went to these competitions at age 13 now coming in as interns into the Department of Science, Innovation, Technology. We're talking small numbers, but it's a really good sign.

Before we go to questions, Peter, you mentioned briefly, and feel free to not answer if you can't, but you were talking about the importance of elections and the election security component. I'd love to hear any more but you have on that side.

Yeah, I mean, for this audience I don't think anyone needs reminding about some of the challenges that we see in elections already with deep fakes, where the video, audio, but also the way that social media has been used and driven by increasing the automated systems which are bought by, let's say, either state or non-state actors, you know, off the shelf sort of disinformation or interference capacities. The Parliament's approach has been, we had a special committee set up for a year and a half looking at foreign interference and election integrity, and some of the issues were sort of pointing, not just pointing the finger at online platforms but sort of saying, you guys, you've got to pull your weight a little bit in terms of trying to, either to ban is unrealistic, but call on them to rein in the possibility for advertisers to do sort of micro-targeted political campaigning. So even in a particular electoral district, to be able,
using AI, a malign actor would be able to target an audience of a thousand Facebook users, for example, in one constituency, each with a very different message based on the information and data available to them. And to do that well, that's what political campaigning is about; to do that nefariously and to put out misinformation or lies, knowing that one person is going to be more susceptible to something that is claimed in one area where another person would not, that sort of micro-targeting is something which we're very concerned about. We are calling on the online platforms to take more seriously and more rapid action on takedown of misinformation where it's clear, not misinformation, disinformation, to clarify the terminology, where it's known that there are actors that are clearly behaving in a way of promoting false information online. I mentioned about the integrity of election systems and them being considered as critical infrastructure. The other area, which I think is, it may be marginal interest, but protection of journalists, and what we're talking about, introducing so-called mirror clauses, whereby we will provide access to non-European journalists in reciprocity of the openness of other third countries to do the same for us. So if you are faced with a country which has a very tightly controlled media, where there are no journalists or foreign journalists have very limited access to information, well, it's going to be a tit for tat, and you can expect to get more limited access as a journalist from those countries to the political space that we have. I think a lot of that is, a lot of people talk about AI. AI is going to be one of the critical aspects in terms of where we are, and we have the whole AI act, and I'm not going to go into any of the details about that, but this issue, whether it's for us, operation in the parliament, to have sort of transparency or insight to how algorithms are being used for a service that we may buy in off the shelf to help
some of our internal work, to know that the service is reliable, that it has high level of integrity, that the data sources being used or whatever are known, that there isn't data poisoning upstream before the algorithms or the language models are being used or deployed, these are all issues about transparency which have a clear relationship to the whole world of cybersecurity, because you want to keep the integrity of that whole chain of training data, operational data, synthetic data or whatever coming through those models before providing support, whether that's in terms of our operational systems, whether that's in terms of what gets pushed out in mass media or online and social media. That interface between cybersecurity challenges and AI I think is going to be increasingly a headache for us in the coming year.

Thank you. Thank you very much. I'd love to hear any questions that we have as well, so please do feel free, as a microphone here, we'd like to, anyone would like to ask a question.

I wanted to hit on a couple of points that you talked about, especially as it comes to two issues that are kind of related in the way that they have their impacts in their respective ways, and that's the kind of implication of enforcing a national or international, at whatever level, cybersecurity policy on small businesses, and also kind of conflated with a separate issue, and that's what we spoke about as far as Mexico, that cybersecurity policy, looking at for example Africa and developing into a more modern internet connected world. Kind of the similar impact on small businesses applies to smaller countries; for example, complying with GDPR is a challenge for small businesses as well as it is for smaller countries to comply with those kind of internationalized cybersecurity policies. So taking into account for example the geopolitics of Russian and Chinese influences, knowledge transfer to smaller countries and smaller businesses, how to comply with those cybersecurity
policies, what do you see as the most feasible solutions for us to be able to kind of prevent conflating national security with cybersecurity and be able to share that information and that knowledge with smaller businesses and countries, to not impose a greater cost on them to comply?

Well, a lot of countries have, actually have kind of like de minimis rules. So Japan and their privacy, you know, this is the minimum amount of information you collect, and also here's the number of, like, how small, like, your income is, and et cetera, and kind of has some degree of changing that based on that. Obviously you don't want, just because someone doesn't make a lot of money or it only has a couple employees but collects information on the entire world, you don't want to like totally get rid of everything. So there's a balance there, especially in the privacy discussion. About the separation of national security and cyber security is a good one, and having an understanding of, like, the impact, like the broader impact that you're having on the economy when you come up with these rules, and how do you go about it affecting small businesses, and keeping that into account as you make the policy. And you know, one of the things we hear a lot from the EU is, don't worry about it, we don't have it in the regulation, but, I mean, we don't have it in the, but when we have the, what's it called, the implementing language, right, it'll be in the implementing language, this issue. And a lot of the small business stuff that we have raised with the EU, they say, you know, wait for the implementing language. I can't say that makes the small businesses I've spoken to then understand what the CRA is going to do very, like, doesn't mollify them, but I do think that there is something to be said, and, and that, you know, the people with expertise that are writing it, you know, can go into more detail there, and then don't have to worry about, you know, like this becoming a thousand page regulation in the first place, right, but the implementing
language can deal with it. So I think that there has been some more effort to deal with small businesses and kind of like implementing language.

So actually, in the CRA there is, in the primary legislation, there is direct reference to small businesses, with certain exemptions in terms of how they implement, but also support for small businesses, for example to engage in the standardization or conformity assessment processes or whatever, and giving them a bit of a leg up. The other element, and this is a more controversial one, but I think it can't be ignored: many European Union countries are former colonial powers. Britain, Britain is no longer in the EU, unfortunately, but you know, France, Germany, Netherlands, Spain, Portugal, Italy, little Belgium where I'm a national, they're all former colonial powers. And the reason that's important is because they still have strong links with those former colonies and those countries which are now independent countries, and have a political and administrative culture of cooperation with those countries on a bilateral basis and multilateral basis, and I don't think that can be ignored in terms of the support that they can provide indirectly to those countries through their bilateral efforts. And the final element, though I've mentioned, is, I touched on this Trade and Technology Council, which is sort of jamboree, the bigwigs in trade, which is a very important part of the trade, and I think there are particular projects for support in various technology areas for third party countries. I think the current ones are Senegal, Jamaica, Sierra Leone, and there was a fourth country, where there are particular projects, whether it's in supporting 5G implementation, security capability to ensure that's not going to get taken over by some malign force to undermine the whole project. But so there are various avenues, and I would say in addition to which, the European Union treaties specifically have provisions for small businesses, so it's sort of baked into the treaties
in terms of how the European Union works.

That's a really good point, in fact, and we run this group called so which is made up of 250 of the chief of security officers in Latin America, and the annual conference here is actually going to be in Spain. And the reason for that is not the Spanish government is excited to have it, but it was really Telefónica that's excited to have it there, and it's to bring in, some of these are small businesses, they want to fly them over there and they want to, like, it's actually not the government as much as telecommunications company, the large telecommunications companies from some of these, from these, from the former colonizer, right, that is engaged in working with them, et cetera. And we see that with US companies too. A lot of the US companies want to engage with them and kind of give support to some of the smaller companies there and get them to buy their products, or get the governments to support them buying their products. So I think that there is something to that, and in terms of the, from the, from the, from the companies involved in the space, or the pseudo, in some cases the pseudo, you know, when you have a telecom, a lot of times it's a joint, jointly run.

So, and just from my side, so I have three points on the, thank you for the question. I think that first of all there is a clear distinction between like national security and digital security, as the complexities within that, and something that the OECD does, because of course there are other organizations that engage on that basis, so they work at security within the digital economy, which is looking at vulnerabilities that help to, if exploited, can underpin digital security. Now of course I recognize that there is, the Venn diagram's not two separate bubbles, but you know, there is an active decision to think, well, how can we do that, and I think a benefit of doing that from my side is sharing information, because you can say, don't care about sort of the national security stuff, but we do need to track how
much you're boosting resilience, and how helpful way to diffuse that is just focus on the digital security component. Another thing that I'd probably talk about is the, talk about smaller countries. Again, the OECD has 38 member states and produce recommendations that are then shared with and used quite often by those countries that are middle income and also accession countries, like the Brazils of this world, and which the outputs from those organizations and say, well, how can we look to use these as starters for how we look to introduce policies. On a sort of purely, very sort of very specific point on IoT security: when the UK government introduced the Product Security Telecommunications Infrastructure Act, prior to doing so we placed, we actually created a grant scheme which was supporting businesses to meet minimum requirements and actually to look at how they can implement security practices within their products, and because we recognized that, like, actually there was the optimistic viewpoint that most manufacturers wanted to do good but maybe didn't know how. So we created a grant which supported the development of assurance schemes across connected televisions and also smart connected toys, because that's a bit more emotive, and also just a self-assessment framework that manufacturers could then use, and that then came with free training that was available. So it's not like a perfect solution, something which government helpful to prioritize, thinking through how are you making sure that you're not, you're balancing the carrot and sticks, so supporting manufacturers, particularly those at the smaller end, where you do want to generate the innovation. And I think UK's use of ARIA is a really, it's a great example of taking the model from DARPA and looking to how it can amplify it. It's a really helpful scheme there as well. So thank you for the question. Any other points to the panel?

Quick question, yes.

Thank you all for doing this panel. I know most of you as a former U.S.
government of cyber officials. Really great to hear how much commonality there is in the approaches that your governments are taking. But as we see increasingly malicious authoritarian cyber attacks by authoritarian governments and increasingly debilitating ransomware attacks, the private sector plays a key role developing new capabilities. We have new programs like bug bounties that help get at identifying vulnerabilities. As you look to the future, what do you think, what are you most optimistic about that the private sector can assist in doing cyber security? Because we've talked a lot about what governments can do, cyber security strategies, workforce development, but what are the things that you really want the private sector to launch on that can really help the governments protect their citizens? Thanks.

I mean, Bryony, you talked about how everyone is getting this together. I think that's totally true, and that we have seen, you know, the, there is the kind of, well, we need companies to do better in terms of securing their code, et cetera, but also I do think that the companies are the ones that come up with the solutions, right? I mean, most of the solutions in the space don't come from governments that say, oh, here's how we can, here's what we need to implement in order to make this happen. I mean, look at even CSRB that just put out this new report, the cyber security review board, coming on there is FIDO, right? Governments didn't create FIDO, companies created FIDO. That's a standard that then is implemented by companies. So I mean, almost every solution comes out of, you know, companies coming together addressing an issue, you know, and then that leads to it being standardized, and then you kind of have the policies that come over, well, we should implement this. And I think there is some frustration from the way that Europe basically says, well, we need to come up with a European standard first. Well, the reason, you know, it's a problem is because there was a standard after already and people aren't
implementing it, not because we need a new European standard, right? So I think that is exactly the kind of, like, we need to be able to get these standards, we need to recognize the solution, we need to internationalize that, and we have to get governments to accept that, happen faster than it does today. But it's getting, it is already pretty efficient of a system if we can get, the problem is more getting the people to actually implement it, or, you know, creating the structure in which people are forced to implement it. So thank you, Rob.

I was saying the short answer is we need to work on everything together. From, in the UK we have lots of initiatives, like, public private partnerships is obviously a buzz word of today, but the Industry 100 program we have, the information exchanges we have with our critical national infrastructure partners, the charity sector, with academia, it's everything. It's absolutely at the core of everything we do and we take it really seriously. I think what for me is just, we have to make it as easy as possible for industry. So thanks for the question, Rob.

Yeah, probably a bit more difficult from a European perspective. We're the ones who are always, always seen as sort of taking a sort of sledgehammer approach to industry innovation. We, you know, lots of talk about, you know, there's innovation, there's regulation, and they're opposed to each other, you can't innovate, there's too much regulation, you can't. I think it's the famous phrase, what is it, you know, necessity is the mother of invention. When GDPR was being discussed we had a lot of pushback, a lot of pushback, saying this isn't possible, nobody can do this, do this, and the very cynical amongst the, the parliament at the time sort of said, you innovate, you're always claiming you can innovate, go innovate, go and find a new model instead of just sort of pimping off people's private data in order to make your money, innovative of making money. And people did innovate, and we now have very thriving business around privacy
protection, and a lot of businesses made a lot of money out of that. So I think there is, I mean, that's, that's one extreme view, personally I don't necessarily share that, but I think innovation has to, there has to be incentives, and I think to say, you know, necessity is the mother of invention, go out and innovate, if you're an environment where innovation is rewarded, and that's clearly the sort of US sort of free market model, which makes it very, very attractive, then Europeans shouldn't be so surprised that some of that innovation moves to the US. I mean, UK, France, Germany, we have thriving IT infrastructure industries or whatever through the 50s, 60s and 70s. We didn't innovate and we didn't invest in those, and today those, a lot of those industries have drifted away. So I think there's a more fundamental problem in terms of providing the incentives to industry to be able to come up with the sort of responses you're talking about, and I think that that imbalance between the innovation response and the incentives, I think, is the core issue. I don't have a magic one, I don't have an obvious solution to that, but I think that's where, that's where the real problem lies.

So it's, sorry, three points for me. So I think the, I'm most optimistic about the manner in which we're moving to more, it's a more collaborative environment with industry on threat sharing and threat blocking, and certainly the JCDC construct here, while still nascent, I think is something that we're looking at very closely in Australia, and see country as that to work within the Five Eyes to do something similar. The other element to the innovation point is around building sovereign capability, environment where there are incentives to do so, and then also potentially working within the AUKUS framework to develop those high end technologies that we all need for the competition that's coming. The last point, and to that issue as well, is working with the Quad partners and the ability to bring industry into the dialogue there, because the
Quad, which is India, Japan, Australia and the United States, has a huge behind it, 28% of the world's GDP sits within that, those four countries, so the ability to shape and set standards will be pivotal through that. Bringing industry into that conversation is crucial.

Thank you all very much for the questions, and today also thank you very much for our panel. So thank you Ari, thank you Bryony, thank you Peter, and thank you Adam, and thank you all for joining. We will be around and available for some time if you'd like to have, but thank you very much and enjoy the rest of your day. Thank you.